Hacking CA system challenge *Tandberg [ NO Keys Allowed in Chat Section/s ]*

[bigs15]

https://github.com/oscam-emu/oscam-emu/wiki/Tandberg-Config

Syntax for AES Keys:
T <key index> AES <key>

where:
key index (1 byte) : 32 keys with indexes from 00 to 1F in hex
identifier (string) : AES
key (16 bytes ) : key in hex format (32 hex characters)

Example:
T 00 AES 11223344556677881122334455667788
T 01 AES 11223344556677881122334455667788

This EAS key can put key ?
T 01 01 3F57F9398854EACFDE42D8A50709CE86D15200

????

 

[bigs15]

nOW 100.5E iMG ASIA 3700 V 30000 tb V.3

 

[morgon]

100.5E IMG Asia T 01 0BIncorrect

 

[slogger26]

IMG 3 on 7E
from log file using new_poc:
[Emu] nano 0xE1, mode 1, entitlementId = 694
[Emu] GetEMMKey: key_index(00), keySet: 2
emm:
83 70 22 00 00 69 50 F0 1C E1 1A 00 00 06 91 01
BC D5 EB D0 FD 8A B1 A4 6D C3 1C DA B8 3B 1E 13
64 46 3D F1 FF
[Emu] nano 0xE1, mode 1, entitlementId = 691
[Emu] GetEMMKey: key_index(00), keySet: 2
ecm:
80 70 2A EC 28 00 00 06 91 FF EB 21 BF EC 81 EA
29 AA 41 49 F9 28 83 CA BB 59 1D E9 59 25 BE 68
36 C9 8C 4C CD C2 CA D8 41 8C 8D 17 E3

 

[fiji]

IMG 3 on 7E
from log file using new_poc:
[Emu] nano 0xE1, mode 1, entitlementId = 694
[Emu] GetEMMKey: key_index(00), keySet: 2
emm:
83 70 22 00 00 69 50 F0 1C E1 1A 00 00 06 91 01
BC D5 EB D0 FD 8A B1 A4 6D C3 1C DA B8 3B 1E 13
64 46 3D F1 FF
[Emu] nano 0xE1, mode 1, entitlementId = 691
[Emu] GetEMMKey: key_index(00), keySet: 2
ecm:
80 70 2A EC 28 00 00 06 91 FF EB 21 BF EC 81 EA
29 AA 41 49 F9 28 83 CA BB 59 1D E9 59 25 BE 68
36 C9 8C 4C CD C2 CA D8 41 8C 8D 17 E3

Upload ts file here .

 

[slogger26]

https://mega.nz/#!x08ETISS!MZtb9HbBuZcybyD8NhDzP7-PveP_r7O-OL1b77Bw0oQ

 

[tani1]

Upload ts file here .

Here we have 10 minutes record about IMG3 EU if anyone is intent on testing something.

https://mega.nz/#!EPZW0KrB!LjrQzfuDNjbIZKU3YpqdxLLFR5NPGjtOBH_7_-9e5pQ

 

[Ragnarok]

Each weekend there is 3 sets of working AES Keys Sent to Tandberg Broadcaster boxes
this would be the main reason i believe that there is no picture found ,
So is it possible to find the 3 working sets of AES keys for this weekend ?
13,14,15 October ??
if someone has the valid dump of AES Keys or this weekends XML please pm me .
Thnx

Looks like a set for the IMG3EU feed, a set for the MX1 mux on Saturday for 3pm and a set for Arquiva feeds.

these could be implemented with a softcam selected by DES entitlment key Id say T 0084 AES00 ..... if present then that would override the default AES keys for that entitlement ID T 0000 as it is now. Currently we could be juggling with 3 sets of keys.

I wonder if the post processing has anything to do with the DVB-CSA2 key ladder.

 

[harshy]

It sounds like this post processing is something only professional receivers can do?

 

[campag5242]

The posted AES key is a new key of an Asian provider. So it's still valid, at least for the posted .ts file.

These are possible scenarios now:
- The in use AES `IV` can be different. It's possible to get consecutive DCWs with a different `IV` too.
Or
- The `IV` is correct, But the normal `CSA` is not in use.

Re the IV.

I looked at some old ED tag ecms (unfortunately I don't have many in my logs). There, the CW checksums were sent as 00's.

Looking at the current EC tag decrypted CWs, the checksums are random rubbish.

Might mean nothing at all, but it would be nice to see them as 00's all the time, or (just as reassuring) the correct checksum value.

ED's:
817028ed26000000c9d09aaa5e627c99edca05c319d24d61884c26889c6120857b4df0799076de163017e3
Active entitlement 00C9 D097A72F1E367A00  dCWs: BAD30600A2289A00:9A9577007AC86A00

807028ed26000000c9f74ff2e43685924f3b864fab5b256a1d5c8e6787b7539bc5f2d51c2e2666e5cb57e3
Active entitlement 00C9 D097A72F1E367A00  dCWs: BAD30600A2289A00:326D3E003C426900

817028ed26000000c92b02b0199991b324e72ef3325e92b2c5e3d0674b52e848fa39c1df61f5e47ccc0a3c
Active entitlement 00C9 D097A72F1E367A00  dCWs: 58CC7300EC38D800:326D3E003C426900

EC's:
2017/10/12 17:45:59 81702aec2800000084ffe24f4891bee41596102d0f92d8a5572e835db5868de974084ffd71a77beca8434957e3
Active entitlement 0084:4DB639FFD2F04500 AES key 02:7Fxxxxxxxxxxxxxxxxxxxxxxxxxxxx33  dCWs: 8D546DBC0736CAD5:7EACF862F9030CC7

2017/10/12 17:46:09 80702aec2800000084ffe227122ead255ae75f09bf326137f485a86d044e34c8ab65ecb186b08e315753a057e3
Active entitlement 0084:4DB639FFD2F04500 AES key 02:7Fxxxxxxxxxxxxxxxxxxxxxxxxxxxx33  dCWs: 8D546DBC0736CAD5:3C28017CD967454F

2017/10/12 17:46:19 81702aec2800000084ffe2d4bd867753cb2f45c0e34803466604f5c8e800fdeedf591c9f16a30cf8137b9e0063
Active entitlement 0084:4DB639FFD2F04500 AES key 02:7Fxxxxxxxxxxxxxxxxxxxxxxxxxxxx33  dCWs: 0520C55F1B7C8AFC:3C28017CD967454F

 

[fiji]

https://mega.nz/#!x08ETISS!MZtb9HbBuZcybyD8NhDzP7-PveP_r7O-OL1b77Bw0oQ

Emm keys found check pm .

 

[morgon]

A theory
They may be for more security
Send the New AES keys by EMAIL
Only for legal customers

So there's probably no way out :mecry:

So there is no hope

 

[ARA$H]

So there is no hope

We have active keys but the algorithm is not fixed
.So there is still a black image.....

 

[harshy]

We have active keys but the algorithm is not fixed
.So there is still a black image.....

I wonder what’s needed to overcome what I am guessing would once overcome give us decrypted video and audio.

 

[barney115]

Yes whatever issue is maybbe V-plug needs updated ?
or something else is missing in order to see picture
i do not think there is issues with AES Keys or ECM Keys anymore ..hopefully @ Anubis_IR can shed some light ?

 

[fiji]

All issue in tandbeg.mdl remeber before this was same condition
in older version .mdl file resolve this problem .

 

[Anubis_Ir]

Yes whatever issue is maybbe V-plug needs updated ?
or something else is missing in order to see picture
i do not think there is issues with AES Keys or ECM Keys anymore ..hopefully @ Anubis_IR can shed some light ?

We need to validate the `AES IV` we have (it's hard coded in the source code) and to do that, we need a working DCW. That's why I asked about the `CSA rainbow tables`.

 

[campag5242]

Hi Anubis_Ir - Look at the raw dCWs before checksum fixup below. Bad IV or something other than CSA?

Old ED tag ecms:
2016/10/12 00:00:00  817028ed26000000c9d09aaa5e627c99edca05c319d24d61884c26889c6120857b4df0799076de163017e3
Active entitlement 00C9:D097A72F1E367A00  dCWs: BAD306[B]00[/B]A2289A[B]00[/B]:9A9577[B]00[/B]7AC86A[B]00[/B]

2016/10/12 00:00:00 807028ed26000000c9f74ff2e43685924f3b864fab5b256a1d5c8e6787b7539bc5f2d51c2e2666e5cb57e3
Active entitlement 00C9:D097A72F1E367A00  dCWs: BAD306[B]00[/B]A2289A[B]00[/B]:326D3E[B]00[/B]3C4269[B]00[/B]

2016/10/10 00:00:00 817028ed26000000c92b02b0199991b324e72ef3325e92b2c5e3d0674b52e848fa39c1df61f5e47ccc0a3c
Active entitlement 00C9:D097A72F1E367A00  dCWs: 58CC73[B]00[/B]EC38D8[B]00[/B]:326D3E[B]00[/B]3C4269[B]00[/B]

The two decrypted ECMs Anubis_Ir posted, raw, without the CW checksum fixes:
2017/10/10 00:00:00 80702aec2800000084ffe1289e373be4c79cdfdd3c411fc4378be8f6b458db6dff4be0f58ab3789fb8b2272726
Active entitlement 0084:4DB639FFD2F04500 AES key 01:3Fxxxxxxxxxxxxxxxxxxxxxxxxxxxx86  dCWs: B58F97[B]49[/B]7A3371[B]FA[/B]:D8CE94[B]1E[/B]35BDF2[B]5C[/B]

2017/10/10 00:00:00 81702aec2800000084ffe1399155d9077e935d096099db6d98f667ea017473c51c8a229207eb9d67f1fef09950
Active entitlement 0084:4DB639FFD2F04500 AES key 01:3Fxxxxxxxxxxxxxxxxxxxxxxxxxxxx86  dCWs: 7900A2[B]CE[/B]EBC501[B]44[/B]:D8CE94[B]1E[/B]35BDF2[B]5C[/B]

 

[harshy]

We need to validate the `AES IV` we have (it's hard coded in the source code) and to do that, we need a working DCW. That's why I asked about the `CSA rainbow tables`.

I would have searched but my laptop is broke :-(

 

[campag5242]

Forget my observation... I failed to RTFS... the checksums were never being set in the first place in the case of the ED tag.